Import substitution in practice. Part 1. Options

Introduction

Due to the fact that 2020 is approaching and the “hour of he”, when it will be necessary to report on the execution of the order of the Ministry of Communications on the transition to domestic software (within the framework of import substitution), and not simple, but from the register of the Ministry of Communications and Mass Communications , the task of developing a plan arrived in fact, according to the execution of the order of the Ministry of Communications and Mass Communications No. 334 of 06/29/2017. And I began to understand.

The first article was about how the Russian Helicopters should not have been done . And she caused so much HYIP, so many comments were written under it, that I, frankly, was a bit shocked ...
')
So, as promised, it’s time to start “a series of articles about how we executed orders and fought against circumstances.” I don’t know how long this cycle will be, but there is a desire to describe the whole process from beginning to end, but there’s not enough time, because writing articles takes a lot of time, and you have to feed the family =)

The first article will be devoted to the study of existing options and their superficial analysis in order to chart the study of options in practice. For before you assemble a test bench, you need to understand what to experience on it.
So, please under the cat.

Chapter 1. As It Is

In order:

Hyper-V, ESXI as virtualization platforms. Why both? Because one in the head office, the other in the branch. So historically (with)

Windows Server 2012 R2 \ 2016 and CentOS 7 as server OS

Windows 7 as client OS

1c at the implementation stage based on MSSQLServer Standard

TEKTON on Firebird 1.5 (Do not even ask ... But you still ask, yes? .. Well, this is someone's warm project that our Enterprise bought at the turn of 2005, it seems, for reasons unknown to me. And now we are trying unsuccessfully switch from it to 1c ..)

OASIS on the same MSSQLServer Standard as reporting software to the FIU

Zabbix on MariaDB

Exchange and Zambra OSE . Why this and that? Because we have 2 network contour. One of which is in no way connected with the outside world and the second circuit ... well, IB thinks that it is necessary, and does not allow us to configure routing and do everything correctly, and who are we to argue with IB? .. In a word, it has historically (c) (2)

IFS at Oracle , CompanyMedia at IBM Domino . We have the first for pre-contractual activities, the second - the “working” workflow ... Why is CompanyMedia on the file database in 2019m? Do not believe it, I asked them the same question - they did not come up with an answer. And why is a monster like IFS needed for pre-contractual activities? Yes.

Microsoft Office . Here it is necessary to clarify. In addition to the standard user set, we have from time immemorial (read before I came here) we have a database written in Access. What is in it and why - I have not the slightest idea, but “we need it, ooooochen, we cannot work without it!”, And Excel has a taaaaaaaaaaa thing ... We can't figure out how it works — it's impossible, and how leave - also unknown. There a huge number of macros are wound up, which pull data out of the darkness of files and do something with it. Even the author of this creation does not know how this works. Rewriting this is akin to database redesign ... In a word, we simply cannot get away from MS Office.

Satellite as an internet browser recently

OpenFire + Pidgin as a chat

Consultant + and TechExpert

Veeam Backup & Replication and Veeam Agent for Windows in their free version

Well, a bunch of Windows server chips, such as AD, DNS, DHCP, WDS, CS, RDP, Remote App, KMS, WSUS, and further on the little things.

All this rose almost from scratch, sweat and blood, suffering and googling. And now it's time to destroy it all. There should be offscreen Homeric laughter, and in the eyes of the protagonist, read me, tears should come to light ...

But is it all terrible? Let's watch the options.

Chapter 2. How it should be

You can go along the path of "Helicopters of Russia", that is, try to completely reject the enemy Windows-based systems, and switch to 100% "domestic" (quotes are not random) software. The “hardcore” version assumes fun to tear down all Windows, put any OS you like from the registry of the Ministry of Communications with MoyOffice or LibreOffice rolled onto it, and see which user comes up. Fun? Of course. Productive? Not at all.

To understand further reasoning, I’ll give the contents of the software in the Astra Linux OS SE 1.6 OS , from which it follows that the entire infrastructure, which is now based on Microsoft products, can be replaced with software in the Astra structure. You can - does not mean you need. I have not tried it all in a test environment with at least a couple of dozens of nodes, I just deployed a test stand, and even then I looked superficially. But there are tools.


On the OS website in the description of the release there is a tale that Zabbix is ​​present as part. But if you dig into the Wiki, then there is an article about how to install Zabbix ... from which we can conclude that Apache, Postgre, php - everything is installed from the repository. And we said above that only what is included in the package is legitimate ... And this confusion puts me out of myself !!!! 11 Well, in the sense that it is not clear what can and should be and what should not "it's not gonna go". It turns out that the packages from the repository are also legitimate. But is it? It seems that - yes, but ...

As a result, one has to assume that everything that is in the OS repositories can be called domestic software. Turning off the logic and just doing what everyone else does. We install, use and report on import substitution. In the end, we all know why all this was invented ..

You can also raise the entire infrastructure and based on the ROSA Linux Enterprise Server . I haven't tried this either. (All tests and results will be published in the next article in this series, if everything goes as planned.)


And you can take a free Calculate Linux and build the entire infrastructure on its base. A list of Calculate Linux packages can be found here .

It follows from the above that it is possible to raise all the necessary infrastructure, in essence, from scratch. This will require huge resources, tons of admin nerves, kilotons of coffee and a lot of time to debug. The threshold of entry will be sooooo hard to overcome. But you can. But difficult. But it will work. But difficult. But ... But ...

Another option is to leave everything as it is, and hope that there will be no checks, and they will simply forget about us. But we also need to report to the Ministry for the transition to domestic software for each year. So, too, is not an option.

Therefore, I propose to approach from the side of common sense.

There is such a sign:



Further, there are, in fact, lengthy arguments, so that anyone is not interested, you can immediately go to the resulting table (Chapter 2.1.). And for those who love mnogabukaff - you are welcome.

So here. We need to bring indicators to the established limits. In practice, this means that we must replace the existing OS with products from the register of the Ministry of Communications and bring the number of replaced operating systems to 80%. And no distinction is made between server and client OSes. This gives us room for maneuver. Which one We can put the OS-based thin clients from the registry, and drive them all into the RDP. In our case, when the number of employees is about 1,500 people, we get 1,200 "pieces" (actually more, since we have not only user axes, but also server ones, but the article is not about exact calculations), but 300 remains for those the most 20% that can not be changed. And what, we do not have enough 300 servers for Windows to properly build a familiar architecture? This should also include specific software that can not work on anything other than Windows, and often also on Windows XP. But 300 cars. Will not be enough? Seriously?

Here it is also necessary to note that best practice in this case will be an advanced training of employees to work with new software. Without this, there is a huge risk of simply bringing the entire production to its knees, and paralyzing the work of the whole Enterprise for an indefinite period. For if everything is not so bad with the OS, the user often doesn’t need anything from her except to launch the Office application \ browser \ 1c, search for the necessary file and launch the soliter. But in the Office \ 1c, they work constantly (for the time being we don’t take into account the design engineers - there is a footnote about CAD in Chapter 2.1. - production, etc.), all reporting passes through Excel filters, etc. Well, for those who for one reason or another can not work in free software - welcome to RDP.

So, we can safely leave the cluster on Hyper-V , since we have one and we like it, this is 12 nodes in our case, we have to leave ESXI . Plus, it needs an “iron” domain controller + virtual domain controller. Total 14. Well, or leave ESXi, having gone from Hyper-V, as you like, the numbers will still be the same. On the Domain Controllers we will have AD, DNS, DHCP, CS . With a small number of screw machines WSUS can be neglected. KMS can also be screwed onto a domain controller. WDS is no longer needed. From the Windows services there are still RDP servers . Well, we still have 286 unused potential “pieces” under Windows left. The RDP farm will occupy another 8-10 Windows operating systems. Total 276 units we have left under the specific software for research departments and CAD.

Chapter 2.1. Information

As a result, I had such a table with options, on the basis of which conclusions will be drawn and plans will be made:


Which is logical - if you still need to switch from a Windows domain to Astra or Rosa, or some other, then it makes sense to transfer client machines to a product of the same manufacturer, so you can reduce the number of errors when trying to make friends with one another.

In relation to PostgreSQL and PostgreSQL PRO, it should be understood that they have significant differences , including in speed. PRO version is more productive. For the “normal” operation of the same 1c, the free version is most likely not enough.

Astra Linux SpecialEdition and ROSA DX "NICKEL" are secure systems that are certified for working with the state secret, secret, etc.

As for CAD : In the comments to the previous article, these questions sounded. ROSA Linux has the following packages in the repositories:

• Freecad
• Kicad
• Librecad
• Opencascade
• QCAD
• QCAD3d

Naturally, all this is free software. But, since CAD-packages are not indicated in the register of the Ministry of Communications, this type of software will most likely fall under the category of “indispensable”, and it can be purchased or used under existing licenses by writing the appropriate paper to the Ministry.

It is the same with other highly specialized software, which, unfortunately, is a lot on our Enterprises. We'll have to write paper and tearfully beg not to ruin, and provide an opportunity to continue to work. Most likely they will give permission.

PS:

I will not be original. All this "fuss" with import substitution looks extremely strange, if you choose soft expressions. In fact, our software only produces Yandex , Acronis , Kaspersky , 10-Strike (with a stretch), 1s , Ascon , Abby , Dr.Web . Well, a handful of small companies. But all this is so narrow niche development (with the exception of Yandex, perhaps) that we can say that we almost do not do software. And everything that is offered to us as part of the import substitution program is simply “proven” software of foreign development. That is, in fact, we are offered for money (and considerable) the same software that we could download and use for free. ROSA is made on the basis of Mandriva, Astra - Debian GNU. Astra can connect the Debian repository and upgrade. The interesting thing is the result. All the packages for the same DNS, DHCP, ALD, ROSA Domain, Dovecot and all the rest are nothing more than open source packages, some of which were “tinted and plastered a little”, and the others were not touched at all, just “checked” availability of bookmarks. What kind of "domestic software" in question is unclear.

On the other hand, Linux administrators will be accustomed to working with already familiar software, which will somewhat lower the threshold of entry. But be that as it may, all controlled industrial enterprises will have to switch to this “domestic” software. So “see you in the next article,” if they do not plant me for this and do not dismiss me =)